You are conducting penetration testing against a website supported by a relational database by creating an identity equation as a login input to manipulate and bypass the authentication procedure. Which of the following tactics, techniques, and procedures (TTP) did you most likely use?
A. Polyinstantiation
B. Reflected cross-site scripting
C. Data manipulation language
D. Noise and perturbation data

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Data manipulation language.

This question describes the common SQL injection scenario that employs a so-called “identity equation” such as 1=1. The attacker can input a SQL expression to exploit the vulnerability of a poorly developed back-end program. SELECT, a keyword of the data manipulation language (DML), is one of the most commonly used statements in the authentication procedure.
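As an added example (not from the original post or the sources it cites), the following sketch shows a login check that builds its SELECT by string concatenation next to a parameterized version, and runs the same identity-equation input through both. The table, column and function names and the sample account are assumptions constructed for illustration.

```python
import hashlib
import sqlite3

# Constructed input: an identity equation (1=1) followed by a SQL comment.
IDENTITY_INPUT = "' OR 1=1 --"

def hash_pw(password):
    # Stand-in for a real password hash; production code uses a salted KDF.
    return hashlib.sha256(password.encode()).hexdigest()

def make_db():
    # Constructed sample data: one account in an in-memory database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)",
               ("alice@example.com", hash_pw("correct horse")))
    return db

def login_vulnerable(db, email, password):
    # Poorly developed back end: input is concatenated into the statement,
    # so the database parses it as part of the WHERE clause.
    sql = ("SELECT email FROM users WHERE email = '" + email +
           "' AND pw_hash = '" + hash_pw(password) + "'")
    return db.execute(sql).fetchone() is not None

def login_parameterized(db, email, password):
    # Hardened form: placeholders bind input as data, never as SQL text.
    sql = "SELECT email FROM users WHERE email = ? AND pw_hash = ?"
    return db.execute(sql, (email, hash_pw(password))).fetchone() is not None

def compare(email, password):
    # Returns (vulnerable_result, parameterized_result) for the same input.
    db = make_db()
    return (login_vulnerable(db, email, password),
            login_parameterized(db, email, password))

if __name__ == "__main__":
    print("valid login:      ", compare("alice@example.com", "correct horse"))
    print("wrong password:   ", compare("alice@example.com", "wrong"))
    print("identity equation:", compare(IDENTITY_INPUT, "anything"))
```

Only the concatenated query authenticates the identity-equation input, because the condition becomes always true and the password test is commented out; the parameterized query compares the whole string against the email column and finds no match.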

Reflected cross-site scripting (XSS) is one type of XSS attack. It doesn’t download malicious code/JavaScript from the web server; instead, it submits an HTTP request in which the URL contains malicious code that is in turn reflected back to the browser. XSS typically employs malicious JavaScript instead of SQL statements.

The attacker inputs the identity equation as a SQL expression (Source: Guru99)

Poorly developed back-end program (Source: Guru99)

Types of SQL Commands (Source: geeksforgeeks)



